What is the best way to connect Meraki WAN Switch stack management/uplink?

Hetes
Conversationalist


Using a Meraki MX250 HA configuration. Also using two Meraki switches as a WAN switch stack, located between the FW HA pair and the ISP routers.
We need to manage the WAN switch stack; it will not have an IP assigned to any VLAN (non-routed transit VLAN) used to transmit traffic between the ISP and the FW.

When we were using Cisco switches, we had the management link connected to the LAN management subnet.
I am planning to do the same for the Meraki WAN switch stack as well. In this case, the management IP will be one of our LAN switch management IPs. To get access to the Meraki cloud, this switch will need to go through the LAN, then the FW, and out to the Internet via its non-routed transit VLAN. In this case the management port is behind the FW and no one can access it inbound from the Internet.
Within our team, we had a discussion on this and some other team members suggest assigning a public Internet address to the Meraki switch management VLAN/port, as it needs to access the Internet/Meraki cloud for management purposes. As the management IP of the managed switch has to be in the same VLAN as the Internet pass-through VLAN, I can only assign a WAN public IP as the management IP of this switch.
The disagreement with this suggestion is that there is no security protection available for the management port, as it will be outside our FW.
The argument and benefit details put forward for this setup: even if the FW is down, the WAN switch stack can be managed via the Meraki cloud, and we could possibly capture traffic on the Internet pass-through VLAN port and analyse it for troubleshooting purposes.
If we had an issue with the Internet connection, it would help to identify whether the issue is with the FW HA or the WAN switch.


What is the best way to deal with this? To be able to manage via the Meraki cloud, we will definitely need a management IP/VLAN configured on this switch.

2 Replies
Bruce
Kind of a big deal

@Hetes both of the suggested methods are valid - either using an internal IP address and connecting an access port in the management VLAN back to the inside network, or using an external IP address and using the WAN VLAN. I expect you'll get a number of opinions here too.
My approach would be to use a WAN IP address if you have one you can spare (that's often the limiting factor we hit). In this scenario, as you point out, you can access the switches even if the MX is down for some reason. Only outbound access should be made from the switch towards the Meraki cloud, and so long as other features are all switched off (e.g. remote access to the local status page, DHCP, dynamic routing) then the switch shouldn't be listening for inbound connections.
Whichever approach you use, I would place the WAN switches in their own network in the Meraki Dashboard so that it doesn't screw with your traffic statistics too much for the 'real' network. If you do use the WAN IP address approach, this also allows you to make sure that remote access to the local status page is disabled for the WAN switches (whereas on the other networks it could be enabled, depending on your preferences).
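The reply above leaves two things to verify before cutting over: whether the stack's management IP actually sits outside the firewall (a public address on the WAN VLAN rather than an address from the internal management subnet), and, if it does, whether remote access to the local status page is disabled on the Dashboard network that holds the WAN switches. The script below is an added example, not code from the thread or from Meraki. It runs offline against constructed payloads that are shaped like the Dashboard API responses for `GET /devices/{serial}/managementInterface` and `GET /networks/{networkId}/settings`; the field names (`wan1.usingStaticIp`, `wan1.staticIp`, `remoteStatusPageEnabled`, `localStatusPageEnabled`) and the sample addresses are assumptions and should be checked against the current API reference. The list of "internal" prefixes defaults to RFC 1918 plus link-local and loopback; substitute your own management prefixes.

```python
"""Check a Meraki WAN switch's cloud-management exposure (added example)."""
import ipaddress
from typing import Any, Dict, List, Optional

# Ranges treated as "inside the firewall". Replace with your own plan.
DEFAULT_INTERNAL_PREFIXES = [
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "169.254.0.0/16",                                  # link-local
    "127.0.0.0/8",                                     # loopback
]

# Constructed sample payloads (assumed API shape, placeholder values).
# Option A from the thread: public IP on the WAN transit VLAN.
SAMPLE_MGMT_PUBLIC = {
    "wan1": {"wanEnabled": "enabled", "usingStaticIp": True,
             "staticIp": "203.0.113.10", "staticGatewayIp": "203.0.113.1",
             "staticSubnetMask": "255.255.255.0", "vlan": 100},
}
# Option B: address from the LAN management subnet, reaching the cloud via the FW.
SAMPLE_MGMT_INTERNAL = {
    "wan1": {"wanEnabled": "enabled", "usingStaticIp": True,
             "staticIp": "10.10.99.21", "staticGatewayIp": "10.10.99.1",
             "staticSubnetMask": "255.255.255.0", "vlan": 99},
}
# Dashboard network settings for the WAN-switch network (assumed keys).
SETTINGS_REMOTE_ON = {"localStatusPageEnabled": True, "remoteStatusPageEnabled": True}
SETTINGS_REMOTE_OFF = {"localStatusPageEnabled": True, "remoteStatusPageEnabled": False}


def is_internal(ip: str, prefixes: List[str] = DEFAULT_INTERNAL_PREFIXES) -> bool:
    """True if ip falls in one of the prefixes we consider behind the FW."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in prefixes)


def management_ip(mgmt_iface: Dict[str, Any]) -> Optional[str]:
    """Static management IP from the managementInterface payload, or None
    when the active uplink is on DHCP (config alone can't tell us the address)."""
    for name in ("wan1", "wan2"):
        wan = mgmt_iface.get(name) or {}
        if wan.get("wanEnabled") == "disabled":
            continue
        if wan.get("usingStaticIp") and wan.get("staticIp"):
            return wan["staticIp"]
    return None


def audit(mgmt_iface: Dict[str, Any], net_settings: Dict[str, Any],
          prefixes: List[str] = DEFAULT_INTERNAL_PREFIXES) -> Dict[str, Any]:
    """Classify exposure and flag the one hard failure from the thread:
    a public management IP combined with remote status-page access."""
    findings: List[str] = []
    ip = management_ip(mgmt_iface)
    if ip is None:
        findings.append("management IP is DHCP-assigned; confirm the lease "
                        "comes from the management VLAN, not the WAN")
        return {"exposure": "unknown", "ip": None, "ok": False, "findings": findings}
    if is_internal(ip, prefixes):
        findings.append(f"{ip} is internal: management plane is behind the FW; "
                        "cloud reachability depends on the FW HA pair")
        return {"exposure": "internal", "ip": ip, "ok": True, "findings": findings}
    findings.append(f"{ip} is outside the internal ranges: management plane "
                    "is directly reachable from the Internet")
    ok = True
    if net_settings.get("remoteStatusPageEnabled", False):
        ok = False
        findings.append("FAIL: remote access to the local status page is enabled "
                        "on a network whose switches carry a public management IP")
    return {"exposure": "public", "ip": ip, "ok": ok, "findings": findings}


if __name__ == "__main__":
    for label, iface, settings in (
        ("public IP, remote status page on", SAMPLE_MGMT_PUBLIC, SETTINGS_REMOTE_ON),
        ("public IP, remote status page off", SAMPLE_MGMT_PUBLIC, SETTINGS_REMOTE_OFF),
        ("internal IP", SAMPLE_MGMT_INTERNAL, SETTINGS_REMOTE_ON),
    ):
        result = audit(iface, settings)
        print(f"[{label}] exposure={result['exposure']} ok={result['ok']}")
        for f in result["findings"]:
            print("   -", f)
```

Because the check is a pure function over the two JSON documents, it drops straight into a pre-change review: fetch the two payloads with whatever Dashboard API client you use, pass them in, and block the cutover if `ok` is false. Note that 203.0.113.0/24 is a documentation range, so it is deliberately classified by prefix list rather than by `ipaddress`'s `is_global`, which would treat it as non-global.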

Hetes
Conversationalist

@Bruce  Thanks for the reply.

When I mention the Management/Uplink port, I am using port 48 on one of the WAN switches as the management/uplink port, not a separate dedicated management port.
When I use port 48 on a switch as the Management/Uplink port, I am not comfortable connecting it directly to the Internet as there is not any protection available for the port, and my understanding is that it will be listening as well - it will be prone to DoS attacks etc.
As you stated both designs are OK, I will prefer to connect the Management/Uplink port to our LAN management network and provide the Internet connection via the FWs. As you have also mentioned, the drawback is that if there is any issue with the FW cluster, we will not be able to manage the WAN switches or identify whether the issue is with the WAN switch stack or the FW cluster.